What is EU GDPR?

EU GDPR is an abbreviation of the words European Union General Data Protection Regulation. It refers to the data protection regulation of the European Union, which is enforced since May 2018. The purpose of the regulation is to harmonise the data protection practices of the EU countries and organisations operating in the EU, and to improve data security for the citizens of the member states.

With the enforcement of EU GDPR, we as a company want to improve the transparency of our operations. We have renewed our Privacy Notice and Terms of Use in order to give you more information about how and for what purposes your user information is used.

Is there something I need to do?

There are three things that we ask you to do.

Please read the revised Privacy Notice and Terms of Use. When you log in to Polar Flow, we ask you to confirm that you’ve read the Privacy Notice and that you agree to our Terms of Use.

Verify your email address. We will send you an email with a verification link. We do this to make sure that your email address is not being misused and that the person behind this email address really is you. When you get the email, open it and click on the verification link.

Give certain kinds of consent required to use our services. Read more about these types of consent here.

You can change your consents through the Settings page in our service, or at account.polar.com at any time. However, changing them means that you won’t be able to use our services anymore, and your account and data will be deleted after six months.

Why do I have to verify my email address? What happens if I don’t do that?

By verifying your email address, we make sure that no one else is using your email address behind your back and that it is really you who is using Polar services. User identification is also a requirement in data protection laws in many countries.

Once you receive the verification email, you have 30 days to verify your email address. If you don’t verify your email address in the 30 day time frame, your account will be locked and you can no longer log on to your account. However, you can still synchronise data from your Polar product to your account.

If you don’t receive the verification email, sing in to Polar Flow or any other Polar service you are using and request a new verification email. Make sure the message has not ended up in your spam folder. If you don’t receive the verification email even after requesting a new message, please contact our Customer Care team.

When the 30-day time frame for email verification has passed, first your account is locked and then deleted after seven months. There is a six-month grace period during which you can still verify your email and stop the user account deletion process. If you don’t act, then there is the actual deletion period which takes one month, and altogether this process takes seven months.

What are the kinds of consent that I need to give?

These kinds of consent are not only required in the data privacy standards of many countries, but they also help you understand how we use your data.

The types of consent are divided into two groups. Firstly, there are the mandatory consents which are separated into smaller entities because of legal reasons. You need to give these consents to be able to use Polar services. You can also withdraw them at any time, but you should be aware that this will prevent you from using Polar services, and after six months your account and all your data will be deleted permanently. We will notify you by email two weeks before the deletion, and you still have a chance to give the consents and cancel the deletion.

The following are the mandatory consents:

Consent to use your personal information: email, age and location. This is information that you give us when creating a Polar account. We use it to provide you with accurate personal calculations such as burnt calories and Training Benefit feedback.

Consent to handle your sensitive personal data. Together with personal information sensitive personal data makes up the fuel that the algorithms need to provide you with individual calculations. In Polar’s case, sensitive personal data refers to heart rate data, activity data and sleep data, in other words health data that our products and services collect from you.

Consent to transfer your data outside your home country. Polar is a global company that offers and supports services all over the world. Most of our customer data is hosted on servers located in the EU (e.g. Finland). However, some monitoring and remote work is done elsewhere. We use highly reputable and secure world-class data storage platforms. All the partners involved in providing Polar services to our customers are chosen carefully.

Consent from the guardian of a young person (under 13 years of age). Customers who are under 13 years of age need consent from their guardian to use Polar services.

Second, there is one voluntary consent for marketing communication. If you choose to not give this consent, it will not affect your use of Polar products and services:

Consent to send marketing messages. We want to bring to your attention new features, system enhancements, updates and ways to get the most out of your Polar product, as well as inform you about new Polar products and exclusive offers to Polar customers. You can withdraw this consent at any time, and this will have no impact on your Polar product and Polar account use.

As a user of Polar services and products, you may also receive important notices about them from time to time. These important notices related to the use of products and services are not marketing messages, but are essential information concerning our products and services and their use. For this reason, it is not possible to opt out of receiving them. We also inform all our customers – including those who have opted out of marketing messages – of any changes to our Terms of Use or Privacy Notice. We hope you read these messages, because they may contain important information that applies to you.

What happens if I don't consent to my personal data being used?

If you withhold any of the mandatory consents, you won’t be able to use our services anymore, and your account and data will be deleted after six months. We will notify you by email two weeks before the deletion, and you still have a chance to give the consents and cancel the deletion.

If you want to withdraw any of the consents once you have given them, you can always do so on the Settings page in Polar Flow or at account.polar.com. However, please note that this will prevent you from using our services.

The consent to receive marketing messages is voluntary, and it does not affect your use of our products or services.

Why do I have to tick so many boxes and give so many consents to be able to use Flow/polarpersonaltrainer.com?

The consents and agreeing to the new Terms of Use are there for making sure that you, Polar customer, feel safe with your data. We do not ask you to agree to the Privacy Notice, we only want you to check the box to let us know you have read the Privacy Notice that explains what we do with your data.

The consents we ask you do not give Polar any more rights to use your data than we had before. In fact, they put more limits to the rights. So all this is to keep your data safe and to give you more control over your data. The European Data Protection Regulation has some specific requirements for companies concerning the use of customer data. For example, if consent is used as the legal basis for processing certain type of data, we cannot keep or process your data without your consent. So we need your approval to continue doing what we have done before or we must delete your data.

Has the way Polar uses customer data changed now that GDPR is effective?

The way Polar uses customer data has not changed. However, due to GDPR requirements we are now required to inform our customers of what our legal bases for processing different types of data are.

Polar has chosen consent as the basis of most processing actions. So, in order to keep doing what we have done before, we now need to ask your permission to do it. We also need to have your permissions recorded in our systems.

The law stipulates that if you do not give your consent to us or withdraw it at any point, we don’t have any right to keep your data and must delete it. We keep your data for some time just to make sure that you really don’t want to give us your consent and want your data removed, and then proceed with deleting it.

If you used Polar services before the GDPR, you gave us your consent to save and process your data with one click when you accepted our Terms of Use. After the GDPR, all our customers have to confirm again that they’re ok with Polar processing their data – even if they accepted our Terms of Use previously. You can compare the previous and current legal texts at:

Can you confirm that you do not sell my data, or have you ever sold my data to a third party?

Rest assured that we never have and never will sell any of our customer data to a third party.

Where is my data stored? Can you tell me where your cloud service is located?

The information in your Polar account and all of your Polar Flow exercise and activity data is saved in the Polar Flow ecosystem. The data is stored in databases owned by service providers located in the EU (e.g. Finland, Ireland) and outside the EU (e.g. USA). Some of the monitoring and ancillary activities of the ecosystem (e.g. sending automatic messages) are conducted from outside the EU, which means that your data may be transferred outside the EU. The term “transfer” also covers remote use of data, so it is possible that your data that is stored in the EU is also handled from outside the EU. If your data is stored or handled outside the EU, protection mechanisms approved by the EU, such as the EU-U.S. Privacy Shield or EU’s model contractual clauses, are always applied.

Is it safe to transfer data outside Europe?

If Polar transfers data outside the EU and EEA, the transfer is protected with protection mechanisms approved by the EU. These are:

The actual physical data transfer is always encrypted and conducted over a secure connection.

How is the data protected? What do you do to protect the data?

Polar protects the data by using technical, physical and administrative security measures designed to prevent unauthorised access to Polar systems. Polar uses, for example, encryption techniques, pseudonymisation/anonymisation and other security technologies. Our servers are protected by firewalls.

How many registered Flow users are there?

Unfortunately, we cannot disclose this information, as it is covered by corporate security.

Who can process my data? Who has access to the users’ data? How many people have access to the users’ data? How is the data shared with third parties?

Only persons who need to process user data in their work (e.g. Customer Care) have access to user data. Processing is legally a broad term which also covers the storage of data, access to data (directly or remotely), data transfer etc. On a large scale, user data is also processed by third parties to which we refer in our Privacy Notice. These third parties include, for example, the bodies we use to produce the Flow platform and to store data. To some extent, we also use subcontractors in our planning and development work. We have strict confidentiality agreements with them, and they rarely have access to actual user data. In other words, we only share data with third parties for maintenance, monitoring and development purposes and do not allow them access to actual user data.

Is the password of my account encrypted, and what algorithms have been used?

For security reasons, we don't disclose what encryption methods we use.

What information do you have about me?

You can review your data directly in the Polar Flow service (https://flow.polar.com) or at polarpersonaltrainer.com. Your account information and all data concerning your Polar products and use of the services come directly from you. We store the information you have provided (e.g. when creating your Polar account or editing your information) and data that we obtain from your registered Polar devices. When you synchronise a registered device with the Flow service, the data on the device is stored. You can also add and edit your information in the Flow service and the Flow mobile application. If you do not want to use the Flow service, you can ask our Customer Care to send your account information to you.

If you would like to review any other information we may have about you (such as your polarpersonaltrainer.com data, purchase history, Customer Care contact history, or service history), contact our Customer Care.

Does Polar collect data about me and what is it used for?

We use your training data to offer you the service you have requested. In other words, to give you the training results and e.g. show you how active you are during the day. We don’t use it for anything else and we don’t look at individual customer data without a request from user.

We may use anonymous data for statistics as well as research and development. However, that data contains no personal data that could be traced back to any individuals. The research and development use is purely to improve our services so that we can make our algorithms even more precise or develop new features. All that work cannot be done without data.

I would like to exercise my right to object to the handling of my personal information for research and development purposes. How do I do that?

Contact our Customer Care and give us a justified reason why you want to object. The right to object is not absolute and for us to restrict using your data for research and development purposes, we need solid reasons for you to exercise your right.

Please remember that all data that we use for research and development purposes is anonymized and it cannot be linked back to you.

I would like to refuse automated decision making/to request handling personal information to be restricted. How do I do that?

This right is not absolute and can be exercised if these processes cause legal effects or significantly affect you. Polar doesn’t do the kind of automated decision making that would cause you any significant effects.

If you wish to restrict the handling of your personal data, please send a valid reason for it to our Customer Care.

I would like to exercise my right to refuse profiling. How do I do that?

This right is not absolute and can be used if these processes cause legal effects or significantly affect you. Polar does not do that type of profiling and therefore we cannot comply with requests such as this.

According to GDPR, the type of profiling that you as the data subject have right to object to is: "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

The profiling that Polar does is completely different. We use anonymized data masses to, for example, find groups of customers with similar goals or fitness interests (etc.) to send them articles they might find interesting if they have given their consent for marketing messages. So there are no legal effects or similarly significant effects to our customers' lives in this type of profiling.

We have the "right to refuse profiling and automated decision-making" listed with other rights in our privacy statement because we want our customers to know their rights listed in the law. So you have the right to object and if we did the kind of profiling the law refers to we would stop it.

Why did I receive a newsletter about changes to the privacy notice despite the fact that I have not subscribed to it?

The message you received is not a newsletter. In some situations, Polar has a legal obligation to inform all users of changes to, for example, our Terms of Use or our Privacy Notice. These messages are sent to all users, not only those who have subscribed to our newsletter.

How can I cancel my newsletter subscription?

An option to cancel the newsletter subscription is provided at the end of all newsletters from Polar. You can also refuse marketing messages in the settings of the Polar Flow service or at account.polar.com. You can do this (or check whether this setting is already active) by logging into the Flow service. Click on your name to edit your profile. Select Settings – Privacy and check that Newsletter is not selected.

What is a Polar account?

It’s the user account that you use to log in to Polar Flow and polarpersonaltrainer.com. Your username is your email address, and you can only create one Polar account with the same email address.

In addition to Polar Flow and polarpersonaltrainer.com, your Polar account also works with the Polar Newsletter subscription and Polar Club. This means that if you’ve subscribed to the Polar Newsletter or used Polar Club at some point, you’ve created a Polar account at that time.

Note that you cannot sign in to the Polar webstore with your Polar account. The Polar webstore account and Polar account are two different accounts.

How can I remove all my data from your database and close my account?

You can delete your account yourself at account.polar.com. Log in with your user name and password and click on “Close your account” on the left to access the Close account button. Click the button to proceed and the portal will guide you through the process. This procedure removes your Polar Flow and/or polarpersonaltrainer.com account and data.

If you have also e.g. had your device repaired or serviced, made purchases in the Polar webstore, or been in contact with Customer Care, and you want to have all data related to these removed, please contact Polar Customer Care so that we can initiate the deletion process. Deleting everything happens in two parts.

The Polar Flow/polarpersonaltrainer.com account removal is a process that takes one month from beginning to end. Two weeks after your deletion request you’ll get an automated notification reminding you that the final deletion is going to happen in two weeks. At that point you can still cancel the removal process. If you don’t do anything, your account and all your training data are then deleted permanently.

All your other data, such as your device’s service history, your purchase history and Customer Care contact data, will be deleted separately unless an applicable law requires us to retain it. Polar Customer Care will notify you when this data has been deleted.

Please note that the Polar Flow and polarpersonaltrainer.com services and some of the features of your Polar product will be unavailable to you after we have deleted your account. You will not be able to synchronise your data with our service or update the firmware version of your device.

How do I review the data you have about me?

You can review your data directly in our web services at https://flow.polar.com or polarpersonaltrainer.com or account.polar.com. To review any other information (such as your purchase history, Customer Care contact history, or service history), contact Customer Care.

How do I export my data out of Flow?

You can download your data at account.polar.com using the “Download your data” button. Please note that the export contains all of the Polar Flow data that was originally provided by you (for example, data given by you during the account registration process), and most of the data coming from the Polar devices or Polar apps you use. This export does not include any data that is derived from the data provided by you using Polar algorithms so, for instance, activity and sleep information are not included in the exported file.

This data download functionality is not a mass loader for exercises even though all of your exercises are included. To download complete exercises, you need to log in to Flow and export your training sessions from there. For instructions, visit https://support.polar.com/uk-en/support/how_do_i_export_individual_training_sessions_from_polar_flow_web_service.

How do I export my data out of polarpersonaltrainer.com?

Is my data encrypted when it is stored and transferred? Do you support the Perfect Forward Secrecy protocol?

Some of the data is encrypted when it is stored, but not all. All data is encrypted when it is transferred, for example when you synchronize data from your wrist device to the Flow mobile app or through FlowSync to the Flow service. Perfect Forward Secrecy is not supported at the moment, but we are planning to support it in the future.

If I have selected the privacy setting “Private” for my profile/exercises/activity summaries, does this mean that information that I have shared, for example on Facebook, is also private?

The “Private” setting only affects your Flow account and prevents Flow from sharing your data with third parties. If you yourself share information in third-party applications or, for example, write something in the club-specific discussion section of the Club application, other users will be able to see this information even if your privacy setting in Flow is “Private”. For comprehensive guidance on our privacy settings, please see https://support.polar.com/uk-en/support/how_to_manage_privacy_in_the_flow_web_service.

I do not accept your terms of use or agree to your privacy notice and wish to use only some of the services. Is this possible?

Unfortunately, it is not possible to use Polar Flow or polarpersonaltrainer.com without accepting the Terms of Use and acknowledging that you have read the Privacy Notice. Some of our devices can also be used without Polar Flow or polarpersonaltrainer.com, but in that case, some of the features will not be available. You will also not be able to synchronise your data with our service or update the firmware version of your device.

What kind of data is transferred outside the EU/EEA?

All data in our databases can be backed up to servers located outside the EU if necessary. Training data and personal data are primarily stored on servers located in the EU, and it is mainly just monitoring data and automated messages that are stored outside of the EU. If Polar transfers data outside the EU and EEA, the transfer is always protected using protection mechanisms approved by the EU. These are:

The actual physical data transfer is always encrypted and conducted over a secure connection.

Has data been transferred outside the EU when the previous privacy policy was in use?

The possibility for data transfer is mentioned in the previous privacy policy as well, but it is described in more detail in the new Privacy Notice. The new version also describes the protection mechanisms used in the transfer in more detail.

If I request that my data is removed from Polar’s services, can you guarantee that it is removed from all places where it has been transferred from Polar’s services, including systems belonging to third parties?

Polar has detailed processes for deleting data in order to ensure that the data is deleted from all places where it may be stored. However, Polar does not have access to systems belonging to third parties where you yourself have shared your data (e.g. Strava), so you will have to contact them yourself to request that the data is removed.

What does data protection mean?

Personal data protection is a basic right that protects your privacy. Personal information includes your name, email address, telephone number and all other information through which you can directly or indirectly be identified. Data protection includes methods and processes for keeping this data safe. Data protection must always be taken into account when handling personal information.

What do different protection methods mean?

Protection techniques refer to software and methods used to protect data. For security reasons, Polar does not specify what software is used. Protection techniques also include methods for handling data, rules concerning who can handle data, ensuring safety and reliability when cooperating with a third party, etc.

Who are Polar’s subsidiaries and subcontractors?

The Polar Group includes many different companies around the world, but mostly within the EU. With the help of the subsidiaries, Polar can, for example, work more comprehensively in different language areas. All of Polar’s subsidiaries work together with Polar for the benefit of our customers. Polar also uses subcontractors to some extent, for example to produce services, service infrastructure, etc. We only use trusted partners who are bound by confidentiality.

Where can I find the contact information of the data protection authority in my country?